Who Did It?

The Configuration Change Notification feature is configured in the log config subsection of the archive configuration section, and its configuration is rather trivial:

  • You have to enable configuration change logging and specify the size of the logging buffer.
  • You can also ask the router to generate configuration-change-related syslog messages, in plain text or in XML.
  • It's also a good idea to configure hidekeys to mask passwords and other sensitive information in the log buffer and in the syslog messages.

A typical configuration is shown in the following printout:

Configuration commands for Configuration Change Notification and Logging feature
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys

After configuring the Configuration Change Logging, all configuration commands are stored in a circular buffer in the router’s memory (the log of changes is lost on reload).

You can inspect the logged commands with the show archive log config command, which can display all configuration commands recently entered on the router, only those entered by a particular user, or even only those entered within a single configuration session (from the moment you enter configure terminal to the time you exit configuration mode). A sample printout of this command is shown below:

Display of logged configuration commands
fw#show archive log config all
 idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     1        console@console  |  logging size 200
    3     1        console@console  |  notify syslog
    4     2        console@console  |archive
    5     2        console@console  | log config
    6     2        console@console  |  hidekeys

If you've configured the notify syslog option of the log config configuration command, all configuration commands entered on the router are also sent to the logging subsystem, which delivers them to the various logging destinations, including the console and syslog hosts. The syslog messages usually contain the username and the configuration command, but they can also report changes to significant data structures. For example, if you add a local user with the username command, the router generates the following two syslog messages:

Syslog messages generated by security-relevant configuration command
fw#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
fw(config)#user x password y
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username x password *****
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!config: USER TABLE MODIFIED
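Once these messages reach a syslog host, the useful next step is to turn them into per-user change records and to verify that hidekeys actually masked credentials. The parser below is an added example (not part of the original article or of Cisco IOS); the sample log lines are constructed, and the "leaked secret" check is a simple heuristic assumption: a command that mentions a password, secret or community string but contains no ***** mask.

```python
import re
from dataclasses import dataclass

# Shape of the syslog message shown above: optional timestamp, then
# %PARSER-5-CFGLOG_LOGGEDCMD: User:<user>  logged command:<command>
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)
# Heuristic (assumption): commands carrying credentials that hidekeys should mask.
SECRET_RE = re.compile(r"\b(password|secret|community)\b", re.IGNORECASE)


@dataclass
class ConfigChange:
    user: str
    command: str
    is_structure_event: bool  # "!config: ..." pseudo-commands such as USER TABLE MODIFIED
    leaked_secret: bool       # credential-bearing command logged without the ***** mask


def parse_cfglog(lines):
    """Extract configuration-change records from raw syslog lines; other messages are skipped."""
    changes = []
    for line in lines:
        m = CFGLOG_RE.search(line)
        if not m:
            continue  # not a configuration-change message (e.g. %SYS-5-CONFIG_I)
        user, cmd = m.group("user"), m.group("cmd").strip()
        structure = cmd.startswith("!config:")
        leaked = bool(SECRET_RE.search(cmd)) and "*****" not in cmd
        changes.append(ConfigChange(user, cmd, structure, leaked))
    return changes


def changes_by_user(changes):
    """Group logged commands by the user who entered them (the 'who did it' view)."""
    summary = {}
    for c in changes:
        summary.setdefault(c.user, []).append(c.command)
    return summary


# Constructed sample feed: the two messages from the printout above, one unmasked
# credential (hidekeys missing), one ordinary command and one unrelated message.
SAMPLE_LOG = """\
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username x password *****
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!config: USER TABLE MODIFIED
01:44:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:username bob password cleartext1
01:44:11: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet0/0
01:44:12: %SYS-5-CONFIG_I: Configured from console by alice on vty0
"""

if __name__ == "__main__":
    for user, cmds in changes_by_user(parse_cfglog(SAMPLE_LOG.splitlines())).items():
        print(user, cmds)
```

Feeding the parser from a real collector only requires replacing SAMPLE_LOG with the received syslog lines; the structure events are the ones worth alerting on separately from routine commands.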